AEGISES · QTHONIC

Sovereign Compute Stack
A capability-typed network architecture you can own, audit, and outlive its vendors

"The substrate is the regulation."
Governance as a property of the medium — not a layer bolted on top
Topology

Four machines. One role each.

Decomposed so each box does what only it does well, and so sovereignty is structural — the perimeter you own gates the platform you rent.

01
🛡️
Network Gate

Perimeter

Gates every packet. Issues identity. Receives the telemetry the rest of the network emits.

NixOS · mini-ITX + programmable NIC
02
🤖
Orchestration

The Agent

Runs Hermes persistently. Holds skill memory and tool servers. Swappable for Qthonic over time.

NixOS · any Nix host
03
🍎
Inference

Model Serving

Apple Silicon + MLX. A single role — serve LLM inference — joined to the network as a leaf.

macOS · Apple Silicon
04
🧪
Lab

Iteration

Everything is designed virtually before it ships. Builds the Gate image; outputs deploy unchanged.

macOS · ephemeral by design
Meta-architecture

Capability → Type → Adapter

The architecture lives at the type layer — an intermediate representation between what must be true and the product that fills it. Software is a dated, swappable backend target.

Frontend · durable · Capability: What must be true. Never changes.
IR · the architecture · Implementation Type: The abstract role + its constraint. The contract Qthonic must honor.
Backend · dated · Adapter: Today's software. Acquired, relicensed, replaced.

Why it matters: when a vendor relicenses, you swap the adapter and the port is untouched. When Qthonic matures, it enters as a new adapter for an existing type — a column edit, not a redesign. The Hermes→Qthonic swap is built into the shape.

Build ladder

Thirteen phases. Each one stoppable.

Stop at any phase and still hold a coherent posture. The first six are secure-enough — ship them. The rest is the perf/sec long tail, layered in over time.

Secure enough · ship first · ~3 binaries, 100% ownable
P0
Substrate & lockdown
Nothing reaches the host unsolicited — and you can undo anything.
NixOS
Declarative OS
Reproducible gate, config in git
nftables
Stateful packet filter
Default-deny inbound from first boot via the NixOS firewall module
NixOS generations
System rollback
One-command undo of a lockout
P1
Gateway
The box becomes a router; the LAN shares one WAN IP.
nftables NAT
Network address translation
Stateful conntrack, single WAN IP
P2
Segmentation
Trusted / compute / untrusted isolated — no lateral pivot.
systemd-networkd
L2 segmentation · 802.1Q
Declarative VLAN interfaces
nftables zones
Inter-zone policy
Default inter-zone deny
P3
LAN services
Hosts auto-configure and resolve names.
dnsmasq
Address assignment · DHCP
Per-zone scopes
dnsmasq
Resolver / forwarder
Name resolution + blocklist filtering
P4
Remote access
You get in securely; the single listening UDP port stays silent to anyone without a valid key, so nothing is discoverable by a scan.
WireGuard
Encrypted tunnel
In-kernel, modern crypto, one peer config
P5
Agent containment
The threat-model phase: a rogue agent can't reach arbitrary hosts.
nftables egress
Egress policy · allowlist
Default-deny outbound on the compute zone
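The P0–P5 ladder expressed as one NixOS module for the Gate. This is an added example, not configuration from the page or the project; the interface names (wan0, lan0), VLAN IDs, subnets, WireGuard port and key path, and the compute egress prefix are assumptions to replace with your own plan.

```nix
# Added example for P0-P5; not the project's own config. Names and addresses are assumptions.
{ config, pkgs, ... }:
{
  # P0: declarative host. We own the whole ruleset, so the generic firewall module is off.
  networking.useDHCP = false;
  networking.useNetworkd = true;
  networking.nftables.enable = true;
  networking.firewall.enable = false;
  boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = 1;   # P1: the box routes

  # P2: 802.1Q sub-interfaces on the trunk port; one zone per VLAN (IDs assumed).
  systemd.network.netdevs = {
    "20-trusted"   = { netdevConfig = { Kind = "vlan"; Name = "trusted";   }; vlanConfig.Id = 10; };
    "20-compute"   = { netdevConfig = { Kind = "vlan"; Name = "compute";   }; vlanConfig.Id = 20; };
    "20-untrusted" = { netdevConfig = { Kind = "vlan"; Name = "untrusted"; }; vlanConfig.Id = 30; };
  };
  systemd.network.networks = {
    "10-wan0"      = { matchConfig.Name = "wan0"; networkConfig.DHCP = "ipv4"; };
    "10-lan0"      = { matchConfig.Name = "lan0"; vlan = [ "trusted" "compute" "untrusted" ]; };
    "30-trusted"   = { matchConfig.Name = "trusted";   address = [ "10.10.0.1/24" ]; };
    "30-compute"   = { matchConfig.Name = "compute";   address = [ "10.20.0.1/24" ]; };
    "30-untrusted" = { matchConfig.Name = "untrusted"; address = [ "10.30.0.1/24" ]; };
  };

  # P3: DHCP + resolver per zone; dnsmasq picks the pool matching the receiving interface.
  services.dnsmasq = {
    enable = true;
    settings = {
      interface = [ "trusted" "compute" "untrusted" ];
      bind-interfaces = true;
      dhcp-range = [
        "10.10.0.100,10.10.0.200,12h"
        "10.20.0.100,10.20.0.200,12h"
        "10.30.0.100,10.30.0.200,1h"
      ];
      domain-needed = true;
      bogus-priv = true;
    };
  };

  # P4: WireGuard. The key file is generated out of band and never enters the Nix store.
  networking.wireguard.interfaces.wg0 = {
    ips = [ "10.40.0.1/24" ];
    listenPort = 51820;
    privateKeyFile = "/var/lib/wireguard/gate.key";   # assumed path
    peers = [ { publicKey = "REPLACE_WITH_PEER_PUBKEY"; allowedIPs = [ "10.40.0.2/32" ]; } ];
  };

  networking.nftables.ruleset = ''
    table inet gate {
      # P5: the only internet destinations the compute zone may reach (assumed example prefix).
      set compute_egress_v4 {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }
      }
      chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept
        # P4: one listening port on the WAN; WireGuard answers only valid handshakes
        iifname "wan0" udp dport 51820 accept
        # P3: every zone may use the gate's DHCP and DNS
        iifname { "trusted", "compute", "untrusted" } udp dport { 67, 53 } accept
        iifname { "trusted", "compute", "untrusted" } tcp dport 53 accept
        # Administration only from the trusted zone or the tunnel
        iifname { "trusted", "wg0" } tcp dport 22 accept
      }
      chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # P2: inter-zone traffic is denied unless listed here
        iifname { "trusted", "wg0" } oifname "compute" accept
        iifname { "trusted", "untrusted", "wg0" } oifname "wan0" accept
        # P5: compute zone egress is an allowlist; everything else is logged and dropped
        iifname "compute" oifname "wan0" ip daddr @compute_egress_v4 tcp dport 443 accept
        iifname "compute" log prefix "compute-egress-denied " drop
      }
      chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade   # P1: one WAN IP for the whole LAN
      }
    }
  '';
}
```

Two checks before trusting this on a real gate: `nft -c -f` against the rendered ruleset (`nixos-rebuild dry-activate` builds it) catches syntax errors before activation, and the `compute-egress-denied` log line is the evidence the P5 threat model is actually enforced, so watch `journalctl -k` while the agent runs. The final `drop` in `forward` also blocks compute → trusted, so the agent cannot pivot to operator machines even if it compromises its own zone.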
Perf / sec long tail · layer over time · identity, observability, hardening, line-rate
P6
Identity & time
Machines prove who they are; timestamps in the logs can no longer be spoofed.
chrony + NTS
Authenticated NTP
Spoof-resistant timestamps
step-ca
Private certificate authority
Cert-based auth replaces IP trust
P7
Identity-aware policy
Egress gated by workload identity and L7 — not just IP.
k3s
Container orchestrator
Declarative service substrate
Cilium
Identity-aware policy engine (L3–L7)
Upgrades P5 IP-egress to identity + FQDN
P8
Observability
See every flow and process — by identity. This is your audit evidence.
Hubble
Flow-telemetry exporter
Identity-tagged connections
Tetragon
Runtime security monitor
Process events + enforcement
OTel Collector
Telemetry pipeline
One agent, all signals
Grafana
Dashboard platform
Legible state · Perses is the hedge
Loki
Log aggregation
Searchable cross-machine logs
P9
Hardening
Attack surface shrinks; DNS becomes private and tamper-evident.
nix-mineral
OS hardening baseline
CIS-style kernel/sysctl lockdown
Unbound + DNSSEC
Validating resolver
Provably authentic answers
Unbound DoT
Encrypted DNS transport
ISP can't read or tamper with queries
Unbound + feeds
DNS filtering · threat feed
Known-bad domains null-routed
CrowdSec
Behavioral IP reputation
Adaptive blocking + shared intel
auditd + laurel
Audit event logging
Structured forensic trail, shipped off-host so tampering shows
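P6 (authenticated time) and P9 (private, validating DNS) together on the Gate, because each depends on the other at boot: NTS validates a server certificate, which needs a roughly correct clock, and DNS-over-TLS validates an upstream certificate, which chrony in turn needs to resolve its server names. This is an added example, not configuration from the page or the project; the NTS server, the zone addresses, the upstream resolvers and the blocklist entry are assumptions.

```nix
# Added example for P6 and P9; not the project's own config. Names and addresses are assumptions.
{ config, pkgs, ... }:
{
  # P6: NTS-authenticated NTP. With enableNTS the NixOS module appends "nts" to each
  # server line and sets ntsdumpdir, so NTS-KE cookies survive a restart.
  services.chrony = {
    enable = true;
    enableNTS = true;
    servers = [ "time.cloudflare.com" ];   # assumed; use operators you trust and verify they speak NTS
    extraConfig = ''
      # The certificate validity period is checked against the clock. Skip that check
      # until the first successful update so a dead RTC battery cannot deadlock sync.
      nocerttimecheck 1
      # Step the clock during the first three updates if off by more than 1 s, then slew only.
      makestep 1.0 3
    '';
  };

  # P9: dnsmasq keeps DHCP (P3) but its resolver is disabled so Unbound owns port 53.
  services.dnsmasq.settings.port = 0;

  services.unbound = {
    enable = true;
    enableRootTrustAnchor = true;   # DNSSEC: fetch and maintain the root trust anchor
    settings = {
      server = {
        interface = [ "127.0.0.1" "10.10.0.1" "10.20.0.1" "10.30.0.1" ];   # assumed zone gateways
        access-control = [ "127.0.0.0/8 allow" "10.0.0.0/8 allow" ];
        tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";   # validates the DoT upstream
        qname-minimisation = "yes";
        harden-dnssec-stripped = "yes";
        # Threat-feed entries are answered locally with NXDOMAIN, so the lookup never leaves
        # the gate. One constructed entry; a real feed renders one line per domain.
        local-zone = [ "malware.example. always_nxdomain" ];
      };
      forward-zone = [{
        name = ".";
        forward-tls-upstream = "yes";
        forward-addr = [ "1.1.1.1@853#cloudflare-dns.com" "9.9.9.9@853#dns.quad9.net" ];
      }];
    };
  };
}
```

Verify with `dig +dnssec nixos.org @127.0.0.1` (the `ad` flag must be set) and `dig sigfail.verteiltesysteme.net @127.0.0.1` (must return SERVFAIL, proving validation rejects a bad signature). If DoT handshakes fail right after a cold boot, check `chronyc tracking` before suspecting Unbound: a clock far off from real time makes every upstream certificate look expired, and the mini-ITX RTC plus `makestep` is what normally keeps the gate out of that loop.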
P10
Detection & response
Catch what gets through — inline.
Suricata
IDS / IPS
Signature + protocol anomaly, multi-threaded
P11
Resilience
Survive disk loss, compromise, and your own mistakes.
restic
Encrypted dedup backup
Client-side encryption, cloud backends
Backblaze B2
Object storage (cloud)
Ciphertext-only; rotatable destination
sops + age
Secrets encryption
Per-value, flake-native, in git
pyinfra
Config management
Idempotent drift correction
P12
Performance — line-rate & beyond
From software fast-path to policy enforced in silicon — the Qthonic target.
nftables flowtable
Connection fast-path offload
Established flows bypass netfilter
sysctl tuning
Kernel network params
conntrack, buffers, BBR, somaxconn
ethtool / tuned
NIC hardware offload
RSS, HW checksum, IRQ affinity
Cilium XDP
XDP fast-path
Drop at the driver — DDoS-resistant
ConnectX-5 → BlueField
SmartNIC / DPU offload
Policy at the NIC — the Qthonic-TPR target
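The software fast path from P12 on the same gate, as an added example that is not the project's own configuration. It assumes the interface names from the P0–P5 plan (wan0, lan0), that the policy chain sits at nftables priority `filter`, and a kernel with VLAN-aware flowtables.

```nix
# Added example for P12; not the project's own config. Interface names are assumptions.
{ config, pkgs, ... }:
{
  # nf_conntrack is loaded early so the conntrack sysctl below exists when sysctl runs.
  boot.kernelModules = [ "tcp_bbr" "nf_conntrack" ];
  boot.kernel.sysctl = {
    "net.core.default_qdisc" = "fq";              # BBR expects fq pacing
    "net.ipv4.tcp_congestion_control" = "bbr";
    "net.netfilter.nf_conntrack_max" = 262144;   # sized for a busy edge, not the default
    "net.core.rmem_max" = 16777216;
    "net.core.wmem_max" = 16777216;
    "net.core.somaxconn" = 4096;
  };

  # Software fast path. A flow only reaches "established" after conntrack has seen both
  # directions, which means the policy chain already accepted it; from then on its
  # packets bypass every netfilter hook, including the policy chain and any nfqueue.
  networking.nftables.ruleset = ''
    table inet fastpath {
      flowtable ft {
        hook ingress priority 0
        devices = { wan0, lan0 }   # physical ports; the VLAN sub-interfaces ride on lan0
      }
      chain forward {
        # Runs just before the policy chain but touches only established flows.
        type filter hook forward priority filter - 1; policy accept;
        ct state established meta l4proto { tcp, udp } flow add @ft
      }
    }
  '';
}
```

The caveat that matters for P10: offloaded flows never reach an nfqueue, so a Suricata IPS attached via NFQUEUE sees only the first packets of each flow. Either restrict `flow add` to traffic Suricata need not inspect (for example, exclude the compute zone with `iifname != "compute"`), or run Suricata in AF_PACKET inline mode, which taps the interfaces below netfilter and is unaffected. `nft list flowtables` shows what is currently offloaded.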
Sovereignty posture

What you can actually own.

The secure-enough core is 100% ownable. Across the full stack, about 90% (46% fully + 44% partial) is at least forkable; the unownable 10% is named, mitigated, and never on the critical path.

46% · Fully ownable: FOSS + community/foundation governance. Fork and self-host indefinitely.
44% · Partial: FOSS but commercially stewarded. Forkable; artifacts kept portable against relicense.
10% · Not ownable: closed / SaaS / proprietary. Mitigated: encrypted, optional, or rotatable.
Migration ladder

Policy artifacts survive every hardware stage.

The same declarative policy moves from commodity silicon to your own substrate. Hardware evolves; the expression layer stays declarative.

Now

Commodity NIC

eBPF policy, kernel-resident. ~$80–180 used ConnectX-5.

+12 mo

DPU

Same policy, DPU-resident. Used BlueField-2.

+24 mo

P4 SmartNIC

Programmable pipeline. True line-rate typed policy.

Endgame

Qthonic FPGA

TPR-native typed policy. The substrate becomes the regulation.